{
"schema_version": "security_mirror_status_rollup_v1",
"status": "draft",
"date": "2026-05-17",
"mode": "mirror_only",
"rollup_status": "framework_ready_waiting_approval",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-mirror-readiness.snapshot.json",
"docs/security/security-mirror-intake-plan.snapshot.json",
"docs/security/security-mirror-route.snapshot.json",
"docs/security/security-mirror-acceptance.snapshot.json",
"docs/security/security-mirror-quarantine.snapshot.json",
"docs/security/security-mirror-dry-run.snapshot.json",
"docs/security/security-approval-queue.snapshot.json",
"docs/security/security-approval-gate.snapshot.json",
"docs/security/security-approval-decision-record.snapshot.json",
"docs/security/security-approval-review-packet.snapshot.json",
"docs/security/security-approval-state-transition.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json",
"docs/security/gitea-authenticated-inventory-export-request.snapshot.json",
"docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json",
"docs/security/gitea-inventory-coverage-attestation.snapshot.json",
"docs/security/gitea-inventory-owner-attestation-response.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json",
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/source-control-primary-rollback-adr.snapshot.json",
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/source-control-workflow-secret-name-owner-response.snapshot.json",
"docs/security/source-control-owner-response-validation-rollup.snapshot.json",
"docs/security/security-rollout-policy.snapshot.json"
],
"summary": {
"total_contracts": 35,
"ready_for_mirror_count": 32,
"partial_ready_count": 2,
"contract_only_count": 1,
"blocked_count": 0,
"approval_queue_total": 8,
"approval_review_packet_total": 8,
"approval_state_transition_rule_total": 5,
"followup_runtime_gate_template_total": 8,
"active_runtime_gate_count": 0,
"gitea_inventory_status": "partial_waiting_authenticated_inventory",
"gitea_inventory_public_only_repo_count": 2,
"gitea_inventory_local_gitea_repo_count": 4,
"gitea_inventory_export_source_option_count": 2,
"gitea_inventory_token_value_collection_allowed": false,
"gitea_inventory_import_acceptance_status": "draft_waiting_redacted_inventory_payload",
"gitea_inventory_import_acceptance_payload_count": 0,
"gitea_inventory_import_acceptance_quarantine_required": true,
"gitea_inventory_import_acceptance_execution_authorized": false,
"gitea_inventory_coverage_attestation_status": "draft_waiting_owner_attestation",
"gitea_inventory_coverage_attestation_required_count": 5,
"gitea_inventory_coverage_attestation_received_count": 0,
"gitea_inventory_coverage_attestation_execution_authorized": false,
"primary_readiness_candidate_repo_count": 8,
"github_primary_ready_count": 0,
"ref_truth_owner_response_template_count": 5,
"ref_truth_owner_received_response_count": 0,
"ref_truth_owner_accepted_response_count": 0,
"ref_truth_owner_rejected_response_count": 0,
"ref_truth_refs_sync_authorized": false,
"ref_truth_refs_delete_authorized": false,
"ref_truth_force_push_authorized": false,
"primary_rollback_adr_repo_plan_count": 7,
"primary_rollback_adr_owner_approved_count": 0,
"primary_rollback_adr_dry_run_completed_count": 0,
"primary_rollback_execution_authorized": false,
"workflow_secret_inventory_candidate_repo_count": 8,
"workflow_secret_inventory_complete_count": 0,
"workflow_secret_inventory_local_evidence_repo_count": 4,
"workflow_secret_inventory_local_workflow_file_count": 31,
"workflow_secret_inventory_unique_secret_name_count": 43,
"workflow_secret_inventory_export_request_count": 7,
"workflow_secret_inventory_export_lane_count": 5,
"workflow_secret_owner_response_template_count": 5,
"workflow_secret_owner_received_response_count": 0,
"workflow_secret_owner_accepted_response_count": 0,
"workflow_secret_owner_rejected_response_count": 0,
"owner_response_validation_packet_count": 4,
"owner_response_validation_lane_count": 4,
"owner_response_validation_template_count": 22,
"owner_response_validation_received_count": 0,
"owner_response_validation_accepted_count": 0,
"owner_response_validation_rejected_count": 0,
"owner_response_validation_cross_packet_check_count": 10,
"owner_response_validation_quarantine_required": true,
"workflow_secret_inventory_write_token_allowed": false,
"workflow_secret_modification_authorized": false,
"workflow_secret_github_hosted_runner_enable_authorized": false,
"secret_value_collection_allowed": false,
"secret_value_detected": false,
"pending_approval_count": 7,
"block_candidate_count": 1,
"dry_run_status": "contract_defined_not_executed",
"runtime_actions_executed": false,
"payloads_ingested": false
},
"progress_estimate": {
"overall_percent": 58,
"framework_percent_min": 80,
"framework_percent_max": 85,
"runtime_landing_percent_min": 35,
"runtime_landing_percent_max": 40,
"basis": [
"35 個主要 contract 中 32 個 ready、2 個 partial、1 個 contract-only、0 個 blocked。",
"S0/S2/S3/S4 多數治理、鏡像、人工批准與 source-control readiness 契約已完成草案。",
"owner responses、redacted payload ingestion、active runtime gate、GitHub primary readiness 與 AwoooP production ingestion 仍未完成或尚未批准。"
],
"interpretation": "目前處於健康的框架期後段;骨架接近完成,但仍刻意維持低摩擦,不把 read-only evidence 誤升級成 runtime enforcement。",
"not_authorization": true
},
"phase_status": [
{
"phase_id": "S0_contracts_and_boundaries",
"state": "completed",
"current_result": "Kali / Codex / GitHub / Gitea / AwoooP 邊界已文件化,核心 schema 草案已建立。",
"next_gate": "AwoooP 只讀 mirror 消費。"
},
{
"phase_id": "S1_readonly_inventory",
"state": "in_progress",
"current_result": "已完成多項 read-only evidence;S4.5 已補 Gitea authenticated/admin export request,S4.6 已補 redacted import acceptance,S4.7 已補 owner coverage attestation request,但 private/internal 全量 repo list 仍需批准後補齊。",
"next_gate": "先取得 owner scope decision / coverage attestation,再等待只讀 token 或 redacted admin export owner approval;收到 payload 後先依 S4.6 驗收與隔離規則檢查,仍不得保存 token value。"
},
{
"phase_id": "S2_mirror_only_consumption",
"state": "draft_ready",
"current_result": "Mirror readiness、intake、event、route、acceptance、quarantine、dry-run 與 status rollup 契約已建立。",
"next_gate": "AwoooP 主線只建立 read-only / mirror-only UI 與 audit evidence,不新增 execution router。"
},
{
"phase_id": "S3_approval_gate",
"state": "draft_ready",
"current_result": "Approval queue 已列出 8 個候選,security_approval_gate_v1 已定義人工 gate,security_approval_decision_record_v1 已定義決策紀錄格式,security_approval_review_packet_v1 已定義人工審查封包,security_approval_state_transition_v1 已定義決策狀態轉移語義,security_followup_runtime_gate_v1 已定義後續 runtime gate 準備模板;S4.8 已把 Gitea queue/gate/review packet/follow-up gate 對齊 S4.7 owner attestation 先行。",
"next_gate": "先 review redacted finding ingestion、safe crawl 與 Gitea owner attestation + read-only inventory;review packet、decision record、state transition 與 follow-up runtime gate template 都不等於執行授權。"
},
{
"phase_id": "S4_migration_execution",
"state": "not_started",
"current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 local evidence;S4.3 已補 redacted export request;S4.4 已補 rollback ADR 草案;S4.5 已補 Gitea authenticated inventory export request;S4.6 已補 redacted import acceptance;S4.7 已補 owner coverage attestation request;S4.9 已補 Gitea owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response intake packet、6 個 intake preflight checks 與 5 個 outcome lanes;S4.10 已補 GitHub target owner decision response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 intake packet;S4.11 已補 refs truth owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與收件包;S4.12 已補 workflow / secret 名稱 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 intake packet;S4.13 已補四包 owner response validation rollup、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes 與 4 個 reviewer audit event templates,彙整 22 個 templates、received=0、accepted=0,並標示 next_collection_candidate=S4.9,但 inventory status 仍 partial,S4.9/S4.11/S4.12 audit events emitted 仍 0 筆,GitHub target / refs truth / workflow-secret response 仍 0 筆,S4.13 reviewer audit templates 也仍為 emitted=0。",
"next_gate": "依 S4.13 先集中檢查四包 owner response validation 狀態、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes 與 4 個 reviewer audit event templates,AwoooP 只顯示 next_collection_candidate=S4.9 Gitea owner attestation,依 S4.9 owner response request packet 要求 owner 回覆,並用 template status ledger / audit event templates / redaction examples / display sections / collection checks 維持 request / received / accepted 分離;再依 S4.9 收到並驗收 S4.7 Gitea owner response、依 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 7 個 GitHub target owner / visibility / canonical response、依 S4.11 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 5 個 refs truth owner response templates、依 S4.12 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 5 個 workflow / secret 名稱 owner response templates、authenticated inventory payload 通過 S4.6 驗收、rollback ADR owner approval 與逐 repo 人工批准。"
}
],
"progress_display_policy": {
"headline_percent": 58,
"headline_status": "holding_until_owner_response_or_runtime_gate",
"why_headline_is_holding": [
"最近完成的是 S4.10 owner response request / status / audit / redaction / collection checks / intake preflight、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks,以及 S4.13 evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates 的框架細節,改善可見性、收件安全與稽核格式,但 owner response received / accepted 仍為 0。",
"overall_percent 只在 owner response、redacted payload ingestion、active runtime gate、GitHub primary readiness 或 AwoooP production ingestion 這些高層 gate 有實質變化時調整。",
"維持 58% 是為了避免把 read-only scaffold 誤算成 runtime enforcement、Kali scan、repo migration 或 GitHub primary cutover。"
],
"recent_micro_progress_visible": true,
"headline_can_increase_after": [
"S4.9 Gitea owner attestation response received/accepted 有實際脫敏 evidence",
"S4.10 GitHub target owner / visibility / canonical response received/accepted 有實際脫敏 evidence",
"S4.11 refs truth owner response received/accepted 有實際脫敏 evidence",
"S4.12 workflow / secret name owner response received/accepted 有實際脫敏 evidence",
"redacted payload ingestion 或 active runtime gate 在人工批准後啟用",
"GitHub primary readiness gate 的 primary_ready_count 大於 0"
],
"runtime_execution_authorized": false,
"not_authorization": true
},
"progress_delta_ledger": [
{
"delta_id": "s4_10_owner_response_request_packet",
"display_order": 1,
"completed_stage": "S4.10 GitHub target owner response request packet",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "request packet 只讓 AwoooP 顯示 owner 要回覆什麼,不代表 request sent、response received 或 approval。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_10_owner_response_template_status_ledger",
"display_order": 2,
"completed_stage": "S4.10 GitHub target owner response template status ledger",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "template status ledger 只逐項顯示 7 個 target 仍為 waiting_owner_response,received / accepted 皆為 0。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_10_owner_response_audit_event_templates",
"display_order": 3,
"completed_stage": "S4.10 GitHub target owner response audit event templates",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "audit event templates 仍為 template_only_not_emitted,emitted_event_count=0,尚未啟用 production ingestion。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_10_owner_response_redaction_examples",
"display_order": 4,
"completed_stage": "S4.10 GitHub target owner response redaction examples",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "redaction examples 只示範安全 metadata shape,不代表 owner response 已收到、已接受或授權 repo / refs / primary 操作。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_10_owner_response_collection_checks",
"display_order": 5,
"completed_stage": "S4.10 GitHub target owner response collection checks",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "collection checks 只維持 request / received / accepted 狀態分離,不代表 owner response 已收到、已接受或授權 repo / refs / primary 操作。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_10_owner_response_intake_preflight_checks",
"display_order": 6,
"completed_stage": "S4.10 GitHub target owner response intake preflight checks",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "intake preflight checks 只分類可收、補證、隔離或拒收,不代表 owner response 已 accepted 或授權 repo / refs / primary 操作。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_11_ref_truth_owner_response_request_packet",
"display_order": 7,
"completed_stage": "S4.11 refs truth owner response request packet",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "request packet 只讓 AwoooP 顯示 owner 要回覆哪 5 類 refs truth 問題,不代表 request sent、response received、accepted 或 refs sync/delete/force push 授權。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_11_ref_truth_owner_response_template_status_ledger",
"display_order": 8,
"completed_stage": "S4.11 refs truth owner response template status ledger",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "template status ledger 只逐項顯示 5 類 refs truth response 仍為 waiting_owner_response,received / accepted 皆為 0,不代表 refs sync/delete/force push 授權。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_11_ref_truth_owner_response_audit_event_templates",
"display_order": 9,
"completed_stage": "S4.11 refs truth owner response audit event templates",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "audit event templates 仍為 template_only_not_emitted,emitted_event_count=0,尚未啟用 production ingestion,也不代表 refs sync/delete/force push 授權。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_11_ref_truth_owner_response_redaction_examples",
"display_order": 10,
"completed_stage": "S4.11 refs truth owner response redaction examples",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "redaction examples 只示範安全 metadata shape,不代表 owner response 已收到、已接受或授權 refs sync/delete/force push。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_11_ref_truth_owner_response_collection_checks",
"display_order": 11,
"completed_stage": "S4.11 refs truth owner response collection checks",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "collection checks 只維持 request / received / accepted 狀態分離,不代表 owner response 已收到、已接受或授權 refs sync/delete/force push。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_11_ref_truth_owner_response_intake_preflight_checks",
"display_order": 12,
"completed_stage": "S4.11 refs truth owner response intake preflight checks",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "intake preflight checks 只分類可審、補證、隔離、拒收或等待,不代表 owner response accepted 或授權 refs sync/delete/force push。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_12_workflow_secret_name_owner_response_request_packet",
"display_order": 13,
"completed_stage": "S4.12 workflow / secret 名稱 owner response request packet",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "request packet 只讓 AwoooP 顯示 owner 要回覆哪 5 類 workflow / secret 名稱問題,不代表 request sent、response received、secret value collection、workflow 修改、runner 啟用或 GitHub primary 授權。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_12_workflow_secret_name_owner_response_template_status_ledger",
"display_order": 14,
"completed_stage": "S4.12 workflow / secret 名稱 owner response template status ledger",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "template status ledger 只逐項顯示 5 類 workflow / secret 名稱 response 仍為 waiting_owner_response,received / accepted 皆為 0,不代表 secret value collection、workflow 修改、runner 啟用或 primary 授權。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_12_workflow_secret_name_owner_response_audit_event_templates",
"display_order": 15,
"completed_stage": "S4.12 workflow / secret 名稱 owner response audit event templates",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "audit event templates 仍為 template_only_not_emitted,emitted_event_count=0,尚未啟用 production ingestion,也不代表 secret value collection、workflow 修改、runner 啟用或 primary 授權。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_12_workflow_secret_name_owner_response_redaction_examples",
"display_order": 16,
"completed_stage": "S4.12 workflow / secret 名稱 owner response redaction examples",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "redaction examples 只示範安全回覆形狀,stored_raw_payload_allowed=false,尚未收到 owner response,也不代表 secret value collection、workflow 修改、runner 啟用或 primary 授權。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_12_workflow_secret_name_owner_response_collection_checks",
"display_order": 17,
"completed_stage": "S4.12 workflow / secret 名稱 owner response collection checks",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "collection checks 只維持 request / received / accepted 狀態分離,received_response_count=0、accepted_response_count=0,不代表 secret value collection、workflow 修改、runner 啟用或 primary 授權。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_12_workflow_secret_name_owner_response_intake_preflight_checks",
"display_order": 18,
"completed_stage": "S4.12 workflow / secret 名稱 owner response intake preflight checks",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "intake preflight checks 只分類可審、補證、隔離或拒收,received_response_count=0、accepted_response_count=0,不代表 secret value collection、workflow 修改、runner 啟用或 primary 授權。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_13_owner_response_validation_evidence_routing_rules",
"display_order": 19,
"completed_stage": "S4.13 owner response validation evidence routing rules",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "evidence routing rules 只決定 owner evidence pointer 應補證、隔離、拒收、進跨包 review 或只讀更新,received_response_count=0、accepted_response_count=0,不代表 approval、runtime gate 或 execution authorization。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_13_owner_response_validation_display_sections",
"display_order": 20,
"completed_stage": "S4.13 owner response validation display sections",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "display sections 只固定 AwoooP Operator Console 的 read-only 呈現順序,received_response_count=0、accepted_response_count=0,不代表 approval、runtime gate、execution queue 或 action button。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_13_owner_response_validation_state_transition_rules",
"display_order": 21,
"completed_stage": "S4.13 owner response validation state transition rules",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "state transition rules 只固定 owner response validation 的 read-only 狀態語義,received_response_count=0、accepted_response_count=0,不代表 approval、runtime gate、execution queue 或 action button。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_13_owner_response_validation_reviewer_checklist",
"display_order": 22,
"completed_stage": "S4.13 owner response validation reviewer checklist",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "reviewer checklist 只提供人工審查順序與只讀檢查提示,received_response_count=0、accepted_response_count=0,不代表 approval、runtime gate、execution queue 或 action button。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_13_owner_response_validation_reviewer_outcome_lanes",
"display_order": 23,
"completed_stage": "S4.13 owner response validation reviewer outcome lanes",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "reviewer outcome lanes 只把人工檢查結果分類成等待、補證、隔離、拒收、跨包 review、只讀更新候選或等待 runtime gate,received_response_count=0、accepted_response_count=0,不代表 approval、runtime gate、execution queue 或 action button。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
},
{
"delta_id": "s4_13_owner_response_validation_reviewer_audit_event_templates",
"display_order": 24,
"completed_stage": "S4.13 owner response validation reviewer audit event templates",
"progress_axis": "framework_detail",
"headline_percent_delta": 0,
"framework_delta_visible": true,
"why_headline_unchanged": "reviewer audit event templates 只定義未來可留痕的脫敏 metadata 形狀,emitted_event_count=0、received_response_count=0、accepted_response_count=0,不代表 production ingestion、approval、runtime gate 或 execution authorization。",
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
}
],
"next_safe_actions": [
{
"action_id": "mirror_owner_response_validation_rollup",
"title": "AwoooP 顯示四包 owner response 驗收總覽",
"mode": "observe",
"source_contract": "source_control_owner_response_validation_rollup_v1",
"allowed_processing": [
"顯示 S4.9/S4.10/S4.11/S4.12 四個 response packets",
"顯示 22 個 templates、received=0、accepted=0、rejected=0",
"顯示 10 個 cross-packet acceptance checks、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates 與 quarantine rules",
"只更新 read-only wording、matrix 或 readiness evidence"
],
"blocked_processing": [
"把 validation rollup 當成 approval",
"把 validation rollup 當成 runtime authorization",
"新增 repo / refs / workflow / secret / runner / primary action button"
]
},
{
"action_id": "mirror_status_rollup_to_awooop",
"title": "AwoooP 顯示資安供應鏈總覽",
"mode": "observe",
"source_contract": "security_mirror_status_rollup_v1",
"allowed_processing": [
"顯示階段狀態、contract readiness、approval queue summary",
"顯示下一個 gate",
"只寫入 read-only / mirror-only audit evidence"
],
"blocked_processing": [
"把 rollup 當成 runtime authorization",
"新增 scan / execute / repo / refs action button",
"把 LOW / MEDIUM observation 變成 blocking gate"
]
},
{
"action_id": "mirror_approval_review_packets",
"title": "AwoooP 顯示 8 個人工審查封包",
"mode": "approval_required",
"source_contract": "security_approval_review_packet_v1",
"allowed_processing": [
"顯示 review order、review lane、required reviewers 與 requested decision",
"顯示仍然禁止事項與 follow-up runtime gate",
"將人工決策另寫入 security_approval_decision_record_v1"
],
"blocked_processing": [
"把 review packet 當成批准",
"把 review packet 當成 execution authorization",
"新增 scan / execute / repo / refs action button"
]
},
{
"action_id": "mirror_approval_state_transitions",
"title": "AwoooP 顯示人工決策後狀態轉移",
"mode": "approval_required",
"source_contract": "security_approval_state_transition_v1",
"allowed_processing": [
"顯示 approve/reject/defer/request_more_evidence/keep_blocked 的 next state",
"顯示 approve_scope 仍需 follow-up runtime gate",
"將實際決策另寫入 security_approval_decision_record_v1"
],
"blocked_processing": [
"把 state transition 當成執行命令",
"批准後立即執行 scan / execute / repo / refs 動作",
"把 LOW / MEDIUM observation 變成 blocking gate"
]
},
{
"action_id": "mirror_followup_runtime_gate_templates",
"title": "AwoooP 顯示後續 runtime gate 準備模板",
"mode": "approval_required",
"source_contract": "security_followup_runtime_gate_v1",
"allowed_processing": [
"顯示 minimum evidence、preflight checks 與 rollback/disable requirement",
"顯示 active_runtime_gates=0",
"提醒 approve_scope 後仍需獨立 runtime gate"
],
"blocked_processing": [
"啟用 runtime gate",
"新增 scan / execute / repo / refs action button",
"把 template 當成執行授權"
]
},
{
"action_id": "review_redacted_finding_ingestion",
"title": "先審 redacted finding ingestion adapter",
"mode": "approval_required",
"source_contract": "security_approval_queue_v1",
"allowed_processing": [
"依 security_approval_gate_v1 人工審查是否可設計 redacted security_finding_v1 ingestion",
"依 security_approval_decision_record_v1 記錄人工決策",
"維持只接收摘要與 evidence_ref",
"保留 patch-only / review gate"
],
"blocked_processing": [
"保存 raw secret/token/cookie/private key/exploit payload",
"讓 AwoooP 直接啟動 scan",
"自動修復或自動封鎖 deploy"
]
},
{
"action_id": "review_gitea_readonly_inventory",
"title": "審查 Gitea private/internal 只讀 inventory",
"mode": "approval_required",
"source_contract": "gitea_repo_inventory_v1",
"allowed_processing": [
"顯示 S4.5 authenticated/admin export request、S4.6 redacted import acceptance、S4.7 owner coverage attestation request 與 coverage gap",
"顯示 5 個 owner attestation items、received_attestation_count=0 與 accepted_attestation_count=0",
"顯示 S4.9 owner response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks、owner response templates、intake preflight checks、outcome lanes、received_response_count=0、audit_events_emitted=0 與 rejection rules",
"在 security_approval_queue_v1、security_approval_gate_v1、security_approval_review_packet_v1 與 security_followup_runtime_gate_v1 中顯示 S4.7 owner attestation 先行條件",
"使用 read-only token 或 redacted admin export 補齊 repo list",
"收到 payload 後只做 schema / redaction / coverage gap 驗收與隔離",
"只保存 token_present=true/false",
"更新 migration matrix 與 decision table"
],
"blocked_processing": [
"保存 token value",
"使用 write-capable token",
"未完成 S4.7 owner attestation 就標記 inventory complete",
"把 S4.9 owner response request packet、template status ledger、audit event templates、redaction examples、display sections 或 response packet 當成 read-only inventory 已執行、audit production ingestion 或 primary approval",
"把 S4.7 owner attestation request 當成 repo migration approval",
"把 S4.6 payload 驗收當成 primary approval",
"建立 GitHub repo 或 sync refs"
]
},
{
"action_id": "review_github_target_decisions",
"title": "逐 repo 審 GitHub target / owner / visibility / canonical",
"mode": "approval_required",
"source_contract": "source_control_approval_board_v1",
"allowed_processing": [
"顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、owner decision response templates、received_response_count=0 與 rejection rules",
"逐 repo 更新 owner / visibility / canonical decision",
"產生 draft reconcile plan 或 ADR",
"維持 refs action disabled"
],
"blocked_processing": [
"把 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 repo creation、visibility change、refs sync 或 primary approval",
"建立 repo",
"修改 visibility",
"push / delete refs",
"切 GitHub primary"
]
},
{
"action_id": "review_ref_truth_owner_responses",
"title": "審查 refs truth owner response 收件包",
"mode": "approval_required",
"source_contract": "source_control_ref_truth_classification_v1",
"allowed_processing": [
"顯示 S4.11 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、templates、received_response_count=0 與 rejection rules",
"依 main/dev truth、deprecated drift、release tag、GitHub-only refs 分組給 owner 判定",
"response 通過後只更新 read-only classification、draft reconcile plan 與 readiness blocker wording",
"維持 refs action disabled"
],
"blocked_processing": [
"把 S4.11 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 refs sync、delete、force push 或 primary approval",
"fetch / push / delete refs",
"rewrite branch 或 tag",
"切 GitHub primary"
]
},
{
"action_id": "review_github_primary_readiness_gate",
"title": "審查 GitHub primary readiness blockers",
"mode": "approval_required",
"source_contract": "source_control_primary_readiness_gate_v1",
"allowed_processing": [
"顯示 7 個 in-scope repos 仍 blocked",
"顯示 Gitea inventory、refs truth owner response、workflow/secret name parity 與 rollback ADR 缺口",
"要求 repo owner 補 owner / visibility / canonical 決策"
],
"blocked_processing": [
"建立 GitHub repo",
"sync refs",
"切 GitHub primary",
"停用或封存 Gitea repo"
]
},
{
"action_id": "review_github_primary_rollback_adr",
"title": "審查 GitHub primary rollback ADR 草案",
"mode": "approval_required",
"source_contract": "source_control_primary_rollback_adr_v1",
"allowed_processing": [
"顯示 7 個 in-scope repos 的 rollback ADR draft",
"顯示 owner_approved_count=0、dry_run_completed_count=0、active_cutover_count=0",
"顯示 rollback triggers、validation windows 與仍禁止事項"
],
"blocked_processing": [
"執行 rollback",
"切 GitHub primary",
"sync refs 或修改 webhook",
"停用 Gitea"
]
},
{
"action_id": "review_workflow_secret_name_inventory",
"title": "審查 workflow / secret 名稱 inventory 缺口",
"mode": "approval_required",
"source_contract": "source_control_workflow_secret_name_inventory_v1",
"allowed_processing": [
"顯示 8 個 candidate repos 的 inventory lanes、4 個 repos 的 local evidence 與 7 個 repos 的 redacted export request",
"顯示 S4.12 owner response request packet、template statuses、audit event templates、redaction examples、collection checks、intake preflight checks、templates、received_response_count=0 與 rejection rules",
"要求 repo owner 補 redacted workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 snapshot",
"顯示 GitHub hosted runner 額度風險與 self-hosted runner owner review lane",
"response 通過後只更新 read-only inventory、export request 與 readiness blocker wording",
"只保存 secret name、owner 與 present/absent metadata,不保存 value"
],
"blocked_processing": [
"把 S4.12 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 workflow 修改、secret 建立、runner 啟用或 primary approval",
"收集或保存 secret value",
"修改 workflow 或 webhook",
"啟用 GitHub hosted runner 或消耗 GitHub Actions 額度",
"rotate secret",
"sync refs 或切 GitHub primary"
]
},
{
"action_id": "keep_kali_execute_blocked",
"title": "Kali /execute 維持 block candidate",
"mode": "block_candidate",
"source_contract": "kali_scan_scope_approval_v1",
"allowed_processing": [
"只設計 disable / allowlist / audit gate",
"保留人工 exception 記錄",
"持續顯示 blocked reason"
],
"blocked_processing": [
"AwoooP runtime 直接呼叫 /execute",
"把 /execute 當成一般 MCP action",
"執行 shell command 自動修復"
]
}
],
"session_sync_notes": [
"本 rollup 是跨 Session 的共同讀取入口,避免 AwoooP 主線與 Security Supply Chain Session 對進度與 gate 判讀不一致。",
"S2/S3 目前仍屬框架期;狀態與人工 gate 可見,不代表 production ingestion、scan、repo migration 或 runtime enforcement 已啟用。",
"S3.1 只新增人工決策紀錄格式;決策紀錄仍維持 execution_authorized=false,不可直接跳到執行面。",
"S3.2 只新增人工審查封包格式;review packet 只讓 AwoooP 顯示與準備人審,不代表批准。",
"S3.3 只新增人工決策狀態轉移語義;approve_scope 只進入 waiting runtime gate,不代表可立即執行。",
"S3.4 只新增後續 runtime gate 準備模板;active_runtime_gates=0,不新增 action button。",
"S4.0 只新增 GitHub primary readiness gate;github_primary_ready_count=0,不新增 repo / refs / primary switch action。",
"S4.1 只新增 workflow / secret 名稱 inventory 契約;workflow_secret_inventory_complete_count=0,secret_value_collection_allowed=false,不新增 workflow、secret、repo、refs 或 primary switch action。",
"S4.2 只新增本機可見 workflow / CODEOWNERS / referenced secret name evidence;local_evidence_repo_count=4、workflow_file_count=31、unique_secret_name_count=43,secret_value_detected=false。",
"S4.3 只新增 redacted export request package;export_request_count=7、export_lane_count=5、write_token_allowed=false,不呼叫 API、不收 secret value、不修改 GitHub/Gitea 設定。",
"S4.4 只新增 GitHub primary rollback ADR 草案;repo_rollback_plan_count=7、owner_approved_count=0、dry_run_completed_count=0、rollback_execution_authorized=false,不切 primary、不執行 rollback。",
"S4.5 只新增 Gitea authenticated inventory export request;public_only_repo_count=2、local_gitea_unique_repo_count=4、export_source_option_count=2、token_value_collection_allowed=false,不使用 token、不寫入 Gitea、不 sync refs。",
"S4.6 只新增 Gitea redacted import acceptance;received_payload_count=0、accepted_payload_count=0,不匯入 DB dump/git object、不寫 Gitea、不切 primary。",
"S4.7 只新增 Gitea owner coverage attestation request;required_attestation_item_count=5、received_attestation_count=0,不把 attestation 當 migration approval。",
"S4.8 只把既有 Gitea approval queue/gate/review packet/follow-up gate 對齊 S4.7 先行條件;approval_queue_total 仍為 8、active_runtime_gates 仍為 0,不新增執行入口。",
"S4.9 只新增 Gitea owner attestation response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks 與 response 收件包;owner_response_request_packet_count=1、owner_response_template_status_count=5、owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_display_section_count=8、owner_response_collection_check_count=6、required_response_item_count=5、received_response_count=0、accepted_response_count=0、audit_events_emitted=0,不把 request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks 或 response packet 當 inventory 執行、audit production ingestion 或 primary approval。",
"S4.10 只新增 GitHub target owner decision response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包;owner_response_request_packet_count=1、owner_response_template_status_count=7、owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_collection_check_count=6、intake_preflight_check_count=6、response_template_count=7、received_response_count=0、accepted_response_count=0,不把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當 repo creation、visibility change、refs sync 或 GitHub primary approval。",
"S4.11 已新增 refs truth owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包;owner_response_request_packet_count=1、owner_response_template_status_count=5、owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_collection_check_count=6、intake_preflight_check_count=6、response_template_count=5、received_response_count=0、accepted_response_count=0、audit_events_emitted=0,不把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當 refs sync、delete、force push 或 GitHub primary approval。",
"S4.12 只新增 workflow / secret 名稱 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包;owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_collection_check_count=6、intake_preflight_check_count=6、audit_events_emitted=0、response_template_count=5、received_response_count=0、accepted_response_count=0,不把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當 secret value collection、workflow modification、GitHub hosted runner enablement 或 GitHub primary approval。",
"S4.13 只新增 owner response validation rollup、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes 與 reviewer audit event templates;response_packet_count=4、template_count=22、received_response_count=0、accepted_response_count=0、cross_packet_check_count=10、owner_response_evidence_routing_rule_count=6、owner_response_validation_display_section_count=8、owner_response_validation_state_transition_rule_count=7、owner_response_validation_reviewer_checklist_count=9、owner_response_validation_reviewer_outcome_lane_count=7、owner_response_validation_reviewer_audit_event_template_count=4、reviewer_audit_events_emitted=0、next_collection_candidate=S4.9,不把 rollup、routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes 或 reviewer audit event templates 當 approval、runtime gate 或 execution authorization。"
],
"forbidden_actions": [
"start_kali_scan",
"call_kali_execute_endpoint",
"run_credentialed_scan",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"auto_merge",
"production_deploy",
"store_secret_token_cookie_private_key_or_exploit_payload",
"turn_low_medium_observations_into_blocking_gates"
]
}